remove insufficitient license gathering (#32)

see #22

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

README.md

@@ -68,8 +68,6 @@ $ yarn CycloneDX make-sbom
                          (default: true if the NODE_ENV environment variable is set to "production", otherwise false)
   --mc-type #0           Type of the main component.
                          (choices: "application", "framework", "library", "container", "platform", "device-driver", default: "application")
-  --licenses             Include license information for components in generated SBOM.
-                         License information will always be absent for components that don't specify licenses unambiguously.
   --reproducible         Whether to go the extra mile and make the output reproducible.
                          This might result in loss of time- and random-based values.
 

package.json

@@ -15,7 +15,6 @@
     "@yarnpkg/fslib": "^3.0.2",
     "clipanion": "^4.0.0-rc.3",
     "packageurl-js": "^1.2.1",
-    "spdx-license-ids": "^3.0.17",
     "xmlbuilder2": "^3.1.1"
   },
   "devDependencies": {

sources/index.ts

@@ -69,10 +69,6 @@ class SBOMCommand extends BaseCommand {
     description: 'Type of the main component.\n(choices: "application", "framework", "library", "container", "platform", "device-driver", default: "application")'
   })
 
-  licenses = Option.Boolean('--licenses', false, {
-    description: 'Include license information for components in generated SBOM.\nLicense information will always be absent for components that don\'t specify licenses unambiguously.'
-  })
-
   reproducible = Option.Boolean('--reproducible', false, {
     description: 'Whether to go the extra mile and make the output reproducible.\nThis might result in loss of time- and random-based values.'
   })
@@ -101,7 +97,6 @@ class SBOMCommand extends BaseCommand {
       outputFormat: parseOutputFormat(this.outputFormat),
       outputFile: parseOutputFile(workspace.cwd, this.outputFile),
       componentType: parseComponenttype(this.componentType),
-      licenses: this.licenses,
       reproducible: this.reproducible
     })
   }

sources/sbom.ts

@@ -22,15 +22,12 @@ import {
   type Configuration,
   type Locator,
   type LocatorHash,
-  type Manifest,
-  type Package,
   type Project,
   structUtils,
   type Workspace
 } from '@yarnpkg/core'
 import { type PortablePath, xfs } from '@yarnpkg/fslib'
 import { PackageURL } from 'packageurl-js'
-import * as ids from 'spdx-license-ids/index.json'
 
 import {
   type BuildtimeDependencies,
@@ -40,8 +37,7 @@ import {
 
 const licenseFactory = new CDX.Factories.LicenseFactory()
 const npmPurlFactory = new CDX.Factories.PackageUrlFactory('npm')
-const externalReferenceFactory =
-  new CDX.Factories.FromNodePackageJson.ExternalReferenceFactory()
+const externalReferenceFactory = new CDX.Factories.FromNodePackageJson.ExternalReferenceFactory()
 const componentBuilder = new CDX.Builders.FromNodePackageJson.ComponentBuilder(
   externalReferenceFactory,
   licenseFactory
@@ -58,8 +54,6 @@ export interface OutputOptions {
   /** Output file name. */
   outputFile: PortablePath | typeof stdOutOutput
   componentType: CDX.Enums.ComponentType
-  /** If component licenses shall be included. */
-  licenses: boolean
   reproducible: boolean
 }
 
@@ -83,15 +77,13 @@ export async function generateSBOM (
   const allDependencies = await traverseWorkspace(
     project,
     workspace,
-    config,
-    outputOptions.licenses
+    config
   )
   const componentModels = new Map<LocatorHash, CDX.Models.Component>()
   // Build models without their dependencies.
   for (const pkgInfo of allDependencies) {
     const component = packageInfoToCycloneComponent(
       pkgInfo,
-      outputOptions.licenses,
       outputOptions.reproducible
     )
     componentModels.set(pkgInfo.package.locatorHash, component)
@@ -226,7 +218,6 @@ function getAuthorName (manifestRawAuthor: unknown): string | undefined {
  */
 function packageInfoToCycloneComponent (
   pkgInfo: PackageInfo,
-  licenses: boolean,
   reproducible: OutputOptions['reproducible']
 ): CDX.Models.Component {
   const manifest = pkgInfo.manifest
@@ -248,12 +239,6 @@ function packageInfoToCycloneComponent (
   // @FIXME dont use any `locatorhash` for this purpose - but maybe something that is actually universally reproducible?
   // -- like `package-name@version` - which is a discriminated unique value for yarn universe
   component.bomRef.value = pkgInfo.package.locatorHash
-  if (licenses) {
-    addLicenseInfo(manifest, pkgInfo, component)
-  } else {
-    // @FIXME why should this be needed anyway?
-    component.licenses.clear()
-  }
 
   const devirtualizedLocator = structUtils.ensureDevirtualizedLocator(
     pkgInfo.package
@@ -292,84 +277,3 @@ function gitHubPackagePurl (
   }
   return undefined
 }
-
-/**
- * Adds license data to component if available.
- * @FIXME remove this license attachment as it isi just wrong
- */
-function addLicenseInfo (
-  manifest: Manifest,
-  pkgInfo: PackageInfo,
-  component: CDX.Models.Component
-): void {
-  if (component.licenses.size === 1) {
-    const license = component.licenses.values().next().value
-    // eslint-disable-next-line  @typescript-eslint/strict-boolean-expressions
-    if (pkgInfo.licenseFileContent &&
-      (license instanceof CDX.Models.NamedLicense ||
-        license instanceof CDX.Models.SpdxLicense)
-    ) {
-      license.text = new CDX.Models.Attachment(pkgInfo.licenseFileContent)
-    }
-  } else if (component.licenses.size === 0) {
-    attemptFallbackLicense(manifest, pkgInfo.package, component)
-  }
-}
-
-/**
- * Attempts to parse bogus but unambigous licenses and augments the component model.
- * @FIXME remove this license guessing as iti is incomplete and wrong
- */
-function attemptFallbackLicense (
-  manifest: Manifest,
-  pkg: Package,
-  component: CDX.Models.Component
-): void {
-  // eslint-disable-next-line  @typescript-eslint/strict-boolean-expressions
-  if (manifest.raw.license) {
-    process.stderr.write(
-      `Package ${structUtils.stringifyLocator(
-        pkg
-      )} has invalid "license" property. See https://docs.npmjs.com/cli/v10/configuring-npm/package-json#license\n`
-    )
-    // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-    if (ids.includes(manifest.raw.license?.type)) {
-      process.stderr.write(
-        `Adding ${
-          manifest.raw.license?.type
-        } as fallback for ${structUtils.stringifyLocator(pkg)}\n`
-      )
-      component.licenses.add(
-        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-        licenseFactory.makeFromString(manifest.raw.license?.type)
-      )
-    }
-  } else
-    // eslint-disable-next-line @typescript-eslint/strict-boolean-expressions
-    if (manifest.raw.licenses) {
-      process.stderr.write(
-      `Package ${structUtils.stringifyLocator(
-        pkg
-      )} has invalid "licenses" property. See https://docs.npmjs.com/cli/v10/configuring-npm/package-json#license\n`
-      )
-      if (
-        Array.isArray(manifest.raw.licenses) &&
-      manifest.raw.licenses.every((outdatedLicense) =>
-        // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-        ids.includes(outdatedLicense.type)
-      )
-      ) {
-        for (const outdatedLicense of manifest.raw.licenses) {
-          process.stderr.write(
-          `Adding ${
-            outdatedLicense.type
-          } as fallback for ${structUtils.stringifyLocator(pkg)}\n`
-          )
-          component.licenses.add(
-          // eslint-disable-next-line @typescript-eslint/no-unsafe-argument
-            licenseFactory.makeFromString(outdatedLicense.type)
-          )
-        }
-      }
-    }
-}

sources/traverseUtils.ts

@@ -27,7 +27,6 @@ import {
   ThrowReport,
   type Workspace
 } from '@yarnpkg/core'
-import { type FakeFS, type PortablePath, ppath } from '@yarnpkg/fslib'
 
 /**
  * Output structure of "yarn info --json"
@@ -44,7 +43,6 @@ export interface PackageInfo {
   package: Package
   manifest: Manifest
   dependencies: Set<LocatorHash>
-  licenseFileContent?: string
 }
 
 // Modelled after traverseWorkspace in https://github.com/yarnpkg/berry/blob/master/packages/plugin-essentials/sources/commands/info.ts#L88
@@ -55,8 +53,7 @@ export interface PackageInfo {
 export async function traverseWorkspace (
   project: Project,
   workspace: Workspace,
-  config: Configuration,
-  extractLicenses: boolean
+  config: Configuration
 ): Promise<Set<PackageInfo>> {
   // Instantiate fetcher to be able to retrieve package manifest. Conversion to CycloneDX model needs this later.
   const cache = await Cache.find(config)
@@ -96,38 +93,28 @@ export async function traverseWorkspace (
 
     const fetchResult = await fetcher.fetch(pkg, fetcherOptions)
     let manifest: Manifest
-    let licenseFileContent: string | undefined
     try {
       manifest = await Manifest.find(fetchResult.prefixPath, {
         baseFs: fetchResult.packageFs
       })
-      if (extractLicenses) {
-        licenseFileContent = readLicenseFile(
-          fetchResult.prefixPath,
-          fetchResult.packageFs
-        )
-      }
     } finally {
       fetchResult.releaseFs?.()
     }
     const packageInfo: PackageInfo = {
       package: pkg,
       manifest,
-      dependencies: new Set(),
-      licenseFileContent
+      dependencies: new Set()
     }
     seen.add(hash)
     allPackages.add(packageInfo)
 
-    // pkg.dependencies has dependencies+peerDependencies for transitve dependencies but not their devDependencies.
+    // pkg.dependencies has dependencies+peerDependencies for transitive dependencies but not their devDependencies.
     for (const dependency of pkg.dependencies.values()) {
       const resolution = project.storedResolutions.get(
         dependency.descriptorHash
       )
       if (typeof resolution === 'undefined') {
-        throw new Error(
-          'All package descriptor hashes should be resolvable for consistent lockfiles.'
-        )
+        throw new Error('All package descriptor hashes should be resolvable for consistent lockfiles.')
       }
       packageInfo.dependencies.add(resolution)
 
@@ -139,26 +126,3 @@ export async function traverseWorkspace (
 
   return allPackages
 }
-
-const fileNameOptions = ['license', 'licence', 'unlicense', 'unlicence']
-const fileNameOptionsStart = fileNameOptions.map((name) => name + '.')
-
-function readLicenseFile (
-  packageRoot: PortablePath,
-  packageFs: FakeFS<PortablePath>
-): string | undefined {
-  const files = packageFs.readdirSync(packageRoot).filter((f) => {
-    const lowerFileName = f.toLocaleLowerCase()
-    return (
-      fileNameOptions.includes(lowerFileName) ||
-      fileNameOptionsStart.some((option) => lowerFileName.startsWith(option))
-    )
-  })
-  for (const licenseFile of files) {
-    const path = ppath.join(packageRoot, licenseFile)
-    if (packageFs.existsSync(path)) {
-      return packageFs.readFileSync(path).toString()
-    }
-  }
-  return undefined
-}